DNS Zone transfers

Let's talk DNS Zone transfers.

What is a DNS Zone Transfer?

First of all, a DNS zone transfer is not an actual attack. It's an information gathering method to facilitate later attacks. In 'normal' circumstances, a DNS Zone Transfer is used to copy the zone file (a copy of all DNS names in a zone) from a master DNS server to a slave DNS server.

Why is it useful for a hacker?

When a DNS server is misconfigured, not only an authorized slave DNS server can request a copy of the zone file, but anyone asking will receive a copy. Basically you're asking the DNS server to give you all the information it has on a given domain. This includes the names, addresses and functions of all servers within that domain. Check out the awesome post by Zonetransfer.me for a detailed example of which information can be retrieved via a zone transfer and how this information can facilitate your hacking.

Examples

Although pre-made automated tools exist for DNS Zone Transfers (such as DNSRecon and DNSenum), I think it's worthwhile to try it manually first, as you will understand the mechanics better. We show some examples on Kali Linux. Let's go.

First, you identify the DNS servers for a given domain. Next, you try a zone transfer on each of these identified DNS servers. In the examples below we are going to do a zone transfer on Zonetransfer.me, which has been set up specifically for this purpose.
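The two-step procedure above (find the name servers, then ask each one for the zone) is what you would also run against your own domains when auditing them. The following Python script is an added example that is not part of the original post: it parses the text that `dig axfr <zone> @<server>` prints, decides whether a server allowed the transfer, summarises what a successful transfer exposed (hostnames, record types, internal addresses), and flags a BIND `allow-transfer { any; }` setting, which is the usual cause of this misconfiguration. The two `dig` outputs and the BIND snippets are constructed samples with invented names and addresses, not captured from any real server.

```python
"""Zone transfer exposure audit (added example; sample data below is constructed).

Feed parse_axfr_output() the text printed by `dig axfr <zone> @<server>` for
each name server you found in step one; feed find_open_transfers() your
named.conf to locate the permissive ACL behind a successful transfer.
"""
import re
from collections import Counter

# A record line from dig looks like: "<name> <ttl> IN <type> <rdata>"
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")

# RFC 1918 ranges: an A record pointing here reveals internal network layout.
PRIVATE_V4_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_axfr_output(text):
    """Return {'status': 'allowed'|'refused'|'unknown', 'records': [...]}.

    dig prefixes all of its own commentary with ';', so anything else that
    matches RECORD_RE is a resource record the server handed over.
    """
    records = []
    failed = False
    for line in text.splitlines():
        if line.startswith(";"):
            if "Transfer failed" in line:
                failed = True
            continue
        m = RECORD_RE.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append({"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    if records:
        return {"status": "allowed", "records": records}
    return {"status": "refused" if failed else "unknown", "records": []}


def summarize_exposure(records):
    """Describe what a successful transfer leaked: unique hostnames, a count
    per record type, and every A record pointing at a private address."""
    hostnames = sorted({r["name"] for r in records})
    types = Counter(r["type"] for r in records)
    private = [r for r in records if r["type"] == "A" and PRIVATE_V4_RE.match(r["rdata"])]
    return {"hostnames": hostnames, "types": dict(types), "private_addresses": private}


# BIND ACL syntax: allow-transfer { <addr>; <addr>; key <name>; ... };
ALLOW_TRANSFER_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}", re.IGNORECASE)


def find_open_transfers(named_conf):
    """Return each allow-transfer clause that contains the 'any' match list.
    The fix is to list only the secondaries' addresses (and a TSIG key)."""
    findings = []
    for m in ALLOW_TRANSFER_RE.finditer(named_conf):
        entries = [e.strip() for e in m.group(1).split(";") if e.strip()]
        if "any" in entries:
            findings.append(m.group(0))
    return findings


# Constructed sample: what dig prints when the server refuses the AXFR.
REFUSED_OUTPUT = """\
; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
; Transfer failed.
"""

# Constructed sample: a server that answers the AXFR (all names/addresses invented).
ALLOWED_OUTPUT = """\
; <<>> DiG 9.18.1 <<>> axfr example.com @ns2.example.com
;; global options: +cmd
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.\t3600\tIN\tNS\tns1.example.com.
example.com.\t3600\tIN\tNS\tns2.example.com.
www.example.com.\t300\tIN\tA\t203.0.113.10
vpn.example.com.\t300\tIN\tA\t203.0.113.20
intranet.example.com.\t300\tIN\tA\t10.0.5.25
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
;; Query time: 12 msec
;; SERVER: 203.0.113.53#53(ns2.example.com) (TCP)
;; XFR size: 7 records (messages 1, bytes 250)
"""

# Constructed BIND snippets: the weak setting and the corrected one.
OPEN_CONF = 'zone "example.com" { type master; allow-transfer { any; }; };'
FIXED_CONF = 'zone "example.com" { type master; allow-transfer { 192.0.2.53; key xfer-key; }; };'


if __name__ == "__main__":
    for label, output in (("ns1", REFUSED_OUTPUT), ("ns2", ALLOWED_OUTPUT)):
        result = parse_axfr_output(output)
        print(label, result["status"])
        if result["status"] == "allowed":
            print("  exposed:", summarize_exposure(result["records"]))
    print("open ACLs:", find_open_transfers(OPEN_CONF), find_open_transfers(FIXED_CONF))
```

Run it against real output by piping `dig axfr yourzone.example @ns` into a file and passing its contents to `parse_axfr_output`; any server reporting `allowed` should have its `allow-transfer` narrowed to the secondaries' addresses, ideally with a TSIG key as in `FIXED_CONF`.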